Thu Jul 27 01:03:02 UTC 2017
a/dbus-1.10.20-x86_64-2.txz: Rebuilt.
Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't
need it and 2) it can cause the boot process to hang if dbus times out.
Thanks to SeB for a link to the bug report and patch.
+--------------------------+
Tue Jul 25 21:09:42 UTC 2017
n/bind-9.11.1_P3-x86_64-1.txz: Upgraded.
Fix a regression in the previous BIND release that broke verification
of TSIG signed TCP message sequences where not all the messages contain
TSIG records.
Compiled to use libidn rather than the deprecated (and broken) idnkit.
n/idnkit-1.0-x86_64-1.txz: Removed.

Thu Jul 27 01:03:02 UTC 2017
a/dbus-1.10.20-i586-2.txz: Rebuilt.
Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't
need it and 2) it can cause the boot process to hang if dbus times out.
Thanks to SeB for a link to the bug report and patch.
+--------------------------+
Tue Jul 25 21:09:42 UTC 2017
n/bind-9.11.1_P3-i586-1.txz: Upgraded.
Fix a regression in the previous BIND release that broke verification
of TSIG signed TCP message sequences where not all the messages contain
TSIG records.
Compiled to use libidn rather than the deprecated (and broken) idnkit.
n/idnkit-1.0-i486-1.txz: Removed.

Fri Aug 11 23:02:43 UTC 2017
ap/cups-filters-1.16.1-x86_64-1.txz: Upgraded.
ap/mariadb-10.0.32-x86_64-1.txz: Upgraded.
ap/mpg123-1.25.6-x86_64-1.txz: Upgraded.
d/cmake-3.9.1-x86_64-1.txz: Upgraded.
d/git-2.14.1-x86_64-1.txz: Upgraded.
Fixes security issues:
A "ssh://..." URL can result in a "ssh" command line with a hostname that
begins with a dash "-", which would cause the "ssh" command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with the
host and port that are parsed out of the "ssh://..." URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash "-" as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(* Security fix *)
d/mercurial-4.3.1-x86_64-1.txz: Upgraded.
Fixes security issues:
Mercurial's symlink auditing was incomplete prior to 4.3, and could
be abused to write to files outside the repository.
Mercurial was not sanitizing hostnames passed to ssh, allowing
shell injection attacks on clients by specifying a hostname starting
with -oProxyCommand.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
(* Security fix *)
d/subversion-1.9.7-x86_64-1.txz: Upgraded.
Fixed a client-side arbitrary code execution vulnerability.
For more information, see:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
(* Security fix *)
l/libsoup-2.58.2-x86_64-1.txz: Upgraded.
Fixed a chunked decoding buffer overrun that could be exploited against
either clients or servers.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
(* Security fix *)
n/samba-4.6.7-x86_64-1.txz: Upgraded.
tcl/tcl-8.6.7-x86_64-1.txz: Upgraded.
tcl/tk-8.6.7-x86_64-1.txz: Upgraded.

Fri Aug 11 23:02:43 UTC 2017
ap/cups-filters-1.16.1-i586-1.txz: Upgraded.
ap/mariadb-10.0.32-i586-1.txz: Upgraded.
ap/mpg123-1.25.6-i586-1.txz: Upgraded.
d/cmake-3.9.1-i586-1.txz: Upgraded.
d/git-2.14.1-i586-1.txz: Upgraded.
Fixes security issues:
A "ssh://..." URL can result in a "ssh" command line with a hostname that
begins with a dash "-", which would cause the "ssh" command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with the
host and port that are parsed out of the "ssh://..." URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash "-" as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(* Security fix *)
d/mercurial-4.3.1-i586-1.txz: Upgraded.
Fixes security issues:
Mercurial's symlink auditing was incomplete prior to 4.3, and could
be abused to write to files outside the repository.
Mercurial was not sanitizing hostnames passed to ssh, allowing
shell injection attacks on clients by specifying a hostname starting
with -oProxyCommand.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
(* Security fix *)
d/subversion-1.9.7-i586-1.txz: Upgraded.
Fixed a client-side arbitrary code execution vulnerability.
For more information, see:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
(* Security fix *)
l/libsoup-2.58.2-i586-1.txz: Upgraded.
Fixed a chunked decoding buffer overrun that could be exploited against
either clients or servers.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
(* Security fix *)
n/samba-4.6.7-i586-1.txz: Upgraded.
tcl/tcl-8.6.7-i586-1.txz: Upgraded.
tcl/tk-8.6.7-i586-1.txz: Upgraded.
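As an added example (not code from this changelog, from git or from Mercurial), the check below mirrors the mitigation the git 2.14.1 and Mercurial 4.3.1 entries above describe: the host and port parsed out of an "ssh://..." URL are refused if they begin with "-", before any ssh command line is built. The function names, the simplified URL parsing and the argv layout are assumptions for illustration.

```python
from __future__ import annotations

# Added example, not code from the Slackware changelog, git or Mercurial.
# A host such as "-oProxyCommand=..." handed to ssh as a positional
# argument is parsed as an option, so option-like hosts and ports are
# rejected outright. Function names and argv layout are assumptions.


class UnsafeUrlError(ValueError):
    """Raised when a URL component could be misread by ssh as an option."""


def parse_ssh_url(url: str) -> tuple[str, str | None, str]:
    """Return (host, port, path) from an ssh:// URL, refusing option-like values.

    Parsing is deliberately simple (no IPv6 bracket handling); the point is
    the check applied to host and port, not a full URL parser.
    """
    if not url.startswith("ssh://"):
        raise ValueError(f"not an ssh:// URL: {url!r}")
    authority, _, path = url[len("ssh://"):].partition("/")
    # Drop any user@ prefix; host and port are what reach the ssh argv.
    _, _, hostport = authority.rpartition("@")
    host, sep, port = hostport.rpartition(":")
    if not sep:
        host, port = hostport, None
    if not host or host.startswith("-"):
        raise UnsafeUrlError(f"refusing host that looks like an option: {host!r}")
    if port is not None and (port.startswith("-") or not port.isdigit()):
        raise UnsafeUrlError(f"refusing port that is not a plain number: {port!r}")
    return host, port, "/" + path


def is_safe_ssh_url(url: str) -> bool:
    """True if parse_ssh_url accepts the URL, False if it refuses it."""
    try:
        parse_ssh_url(url)
        return True
    except ValueError:  # UnsafeUrlError is a ValueError too
        return False


def build_ssh_argv(url: str) -> list[str]:
    """Build the argv a client would exec, only after the host/port check."""
    host, port, path = parse_ssh_url(url)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    # Host is positional here; that is safe only because parse_ssh_url has
    # already rejected any host beginning with "-".
    return argv + [host, "git-upload-pack", path]
```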